samba - Oct 2017 - Opensolaris-ish joins but does not seem to be valid

We have a product that is similar to Opensolaris. It joins to the domain (Samba
version 4.7.0) without error and I can verify that a computer object is created
in the domain for it.

However, the command "getent passwd" which I would expect to return a
list of
all domain users, only returns a list of local users.

I am confident I do not have a misconfigured file because if I get a kerberos
ticket as the Administrator (i.e. kinit -UAdministrator) and then issue
"getent
passwd", the list returns as I would expect.

The host is populated with a keytab after joining to the domain and it appears
to have good entries: "host/hostname.example.com at EXAMPLE.COM", etc.
And when I
do a "klist" with no prior kinit, it says it says the default
principal is
"host/hostname at EXAMPLE.COM" which is listed in the keytab.

Since I am on 4.7.0, I've also turned on the authentication auditing and I
can
see the authentication attempt when I issue "getent passwd". But
instead of
being host specific, it registers the user as [NT AUTHORITY]\[ANONYMOUS LOGON].

There is an additional setup we have to run for this host, setting up directory
based mappings for idmap to resolve UIDs
(http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
That command registers as the host authority in the DC logs, i.e.
"[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the process
returns
as "sasl/GSSAPI bind" error. As above, if I do a kinit as
Administrator
beforehand, the command succeeds successfully. 

It seems like something is wrong with the computer account, but it's not
like I
can set the computer accounts password and manually trying kiniting as it. Any
suggestions about what might be wrong or how to further troubleshoot?

Mike Ray

On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
Mike Ray via samba <samba at lists.samba.org> wrote:
> We have a product that is similar to Opensolaris. It joins to the
> domain (Samba version 4.7.0) without error and I can verify that a
> computer object is created in the domain for it.
> 
> However, the command "getent passwd" which I would expect to
return a
> list of all domain users, only returns a list of local users.
> 
> I am confident I do not have a misconfigured file because if I get a
> kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
> then issue "getent passwd", the list returns as I would expect.
> 
> The host is populated with a keytab after joining to the domain and
> it appears to have good entries:
> "host/hostname.example.com at EXAMPLE.COM", etc. And when I do a
"klist"
> with no prior kinit, it says it says the default principal is
> "host/hostname at EXAMPLE.COM" which is listed in the keytab.
> 
> Since I am on 4.7.0, I've also turned on the authentication auditing
> and I can see the authentication attempt when I issue "getent
> passwd". But instead of being host specific, it registers the user as
> [NT AUTHORITY]\[ANONYMOUS LOGON].
> 
> There is an additional setup we have to run for this host, setting up
> directory based mappings for idmap to resolve UIDs
>
(http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
> That command registers as the host authority in the DC logs, i.e.
> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side, the
> process returns as "sasl/GSSAPI bind" error. As above, if I do a
> kinit as Administrator beforehand, the command succeeds successfully. 
> 
> It seems like something is wrong with the computer account, but it's
> not like I can set the computer accounts password and manually trying
> kiniting as it. Any suggestions about what might be wrong or how to
> further troubleshoot?
> 
> Mike Ray
> 
Can you post your smb.conf 

Rowland

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, October 10, 2017 2:23:02 AM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid
> On Mon, 9 Oct 2017 18:04:45 -0500 (CDT)
> Mike Ray via samba <samba at lists.samba.org> wrote:
> 
>> We have a product that is similar to Opensolaris. It joins to the
>> domain (Samba version 4.7.0) without error and I can verify that a
>> computer object is created in the domain for it.
>> 
>> However, the command "getent passwd" which I would expect to
return a
>> list of all domain users, only returns a list of local users.
>> 
>> I am confident I do not have a misconfigured file because if I get a
>> kerberos ticket as the Administrator (i.e. kinit -UAdministrator) and
>> then issue "getent passwd", the list returns as I would
expect.
>> 
>> The host is populated with a keytab after joining to the domain and
>> it appears to have good entries:
>> "host/hostname.example.com at EXAMPLE.COM", etc. And when I
do a "klist"
>> with no prior kinit, it says it says the default principal is
>> "host/hostname at EXAMPLE.COM" which is listed in the keytab.
>> 
>> Since I am on 4.7.0, I've also turned on the authentication
auditing
>> and I can see the authentication attempt when I issue "getent
>> passwd". But instead of being host specific, it registers the user
as
>> [NT AUTHORITY]\[ANONYMOUS LOGON].
>> 
>> There is an additional setup we have to run for this host, setting up
>> directory based mappings for idmap to resolve UIDs
>>
(http://web.archive.org/web/20090416045554/http://docs.sun.com:80/app/docs/doc/820-2429/createidmappingstrategy?a=view).
>> That command registers as the host authority in the DC logs, i.e.
>> "[EXAMPLE]\[HOSTNAME$][SID]"; however, on the client side,
the
>> process returns as "sasl/GSSAPI bind" error. As above, if I
do a
>> kinit as Administrator beforehand, the command succeeds successfully.
>> 
>> It seems like something is wrong with the computer account, but
it's
>> not like I can set the computer accounts password and manually trying
>> kiniting as it. Any suggestions about what might be wrong or how to
>> further troubleshoot?
>> 
>> Mike Ray
>> 
> 
> Can you post your smb.conf
> 
> Rowland
> 
Rowland,

Here's the smb.conf for one of the DCs (I'm working with Mike on this):
[global]
        netbios name = DC3
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        server role = active directory domain controller
        allow dns updates = nonsecure
        dns forwarder = 192.168.0.2
        idmap_ldb:use rfc2307 = Yes
        printcap name = /dev/null
        load printers = no
        printing = bsd
        ntp signd socket directory = /var/run/samba/ntp_signd
        #acl:search = no
        ldap server require strong auth = no
        winbind sealed pipes = false
        client signing = off
        require strong key = false
        client ldap sasl wrapping = plain
        log level = 1 auth_audit:10

[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Thanks,

Andrew